Add Sigscanner workflow (#24)

* Add Sigscanner workflow

* Add README

* Add CODEOWNER

Author: timweri

.github/CODEOWNERS

@@ -1 +1,2 @@
 * @smartcontractkit/devex-cicd
+.github/workflows/sigscanner-check.yml @smartcontractkit/prodsec-public

.github/workflows/sigscanner-check.yml

@@ -0,0 +1,70 @@
+name: "SigScanner Check"
+
+on:
+  merge_group:
+  pull_request:
+
+permissions: {}
+
+jobs:
+  sigscanner-check:
+    runs-on: ubuntu-latest
+    # Skip on merge group events
+    if: ${{ github.event_name == 'pull_request' }}
+    steps:
+      - name: "SigScanner checking ${{ github.sha }} by ${{ github.actor }}"
+        env:
+          API_TOKEN: ${{ secrets.SIGSCANNER_API_TOKEN }}
+          API_URL: ${{ secrets.SIGSCANNER_API_URL }}
+          COMMIT_SHA: ${{ github.sha }}
+          ACTOR: ${{ github.actor }}
+          REPOSITORY: ${{ github.repository }}
+          EVENT_NAME: ${{ github.event_name }}
+
+        run: |
+          echo "🔎 Checking commit $COMMIT_SHA by $ACTOR in $REPOSITORY - $EVENT_NAME"
+
+          payload=$(printf '{"commit":"%s","repository":"%s","author":"%s"}' \
+            "$COMMIT_SHA" "$REPOSITORY" "$ACTOR")
+
+          max_attempts=3
+          attempt=1
+
+          # Retry on 5XXs
+          while [[ $attempt -le $max_attempts ]]; do
+            echo "Attempt $attempt/$max_attempts"
+
+            CODE=$(curl \
+              --silent \
+              --output /dev/null \
+              --write-out '%{http_code}' \
+              --max-time 20 \
+              -X POST \
+              -H "Content-Type: application/json" \
+              -H "Authorization: $API_TOKEN" \
+              --url "$API_URL" \
+              --data "$payload")
+
+            echo "Received $CODE"
+            if [[ "$CODE" == "200" ]]; then
+              echo "✅ Commit is verified"
+              exit 0
+            elif [[ "$CODE" == "400" ]]; then
+              echo "❌ Bad request"
+              exit 1
+            elif [[ "$CODE" == "403" ]]; then
+              echo "❌ Commit is NOT verified"
+              exit 1
+            elif [[ "$CODE" =~ ^5[0-9][0-9]$ ]]; then
+              if [[ $attempt -lt $max_attempts ]]; then
+                echo "Retrying in 15s..."
+                sleep 15
+              fi
+            else
+              echo "❌ Unexpected response"
+              exit 1
+            fi
+
+            attempt=$((attempt + 1))
+          done
+          exit 1

README.md

@@ -27,6 +27,10 @@ Uses [patrickhuie19/codeowners-validator](https://github.com/patrickhuie19/codeo
 
 Enforces that every repository has a CODEOWNERS file.
 
+### Sigscanner check
+
+Enforces that commits are signed by allowlisted keys.
+
 ## Help
 
 If you are experiencing a blocking error from a workflow in this repository, please reach out to us on `#team-devex`.